BLACKNURSE

it CAN bring you down

Only do testing on firewalls and routers that you own

Blacknurse is a low bandwidth ICMP attack that is capable of doing denial of service to well known firewalls.

Most ICMP attacks that we see are based on ICMP Type 8 Code 0 also called a ping flood attack.

BlackNurse is based on ICMP with Type 3 Code 3 packets. We know that when a user has allowed ICMP Type 3 Code 3 to outside interfaces, the BlackNurse attack becomes highly effective even at low bandwidth.

Low bandwidth is in this case around 15-18 Mbit/s. This is to achieve the volume of packets needed which is around 40 to 50K packets per second. It does not matter if you have a 1 Gbit/s Internet connection.

The impact we see on different firewalls is typically high CPU loads. When an attack is ongoing, users from the LAN side will no longer be able to send/receive traffic to/from the Internet. All firewalls we have seen recover when the attack stops.

Please provide us with information on firewalls and routers that are affected by BlackNurse - you can send information toinfo@blacknurse.dk, and we will maintain a list of products on BlackNurse.dk.

The best way to test if your systems are vulnerable, is to allow ICMP on the WAN side of you firewall and do some testing with Hping3. When attacking the outside wan, try to do some internet surfing from the inside and out. In our test we used an Ubuntu installation with Hping3 installed. When testing, you have to be able to reach outbound internet speed of at least 15-18 Mbit/s.

Use Hping3 with one of the following commands:

hping3 -1 -C 3 -K 3 -i u20 <target ip>

hping3 -1 -C 3 -K 3 --flood <target ip>

Based on our test, we know that a reasonable sized laptop can produce approx. a 180 Mbit/s DoS attack with these commands. We have also made tests using a Nexus 6 mobile phone with Nethunter/Kali which only can produce 9.5 Mbit/s and therefore cannot single-handedly perform the BlackNurse attack.

HAPPY TESTING!

Please read the full report for help to mitigate the attack, including detection rules, details of the testing done so far and more nice knowlegde.